An ethical hacking project by a team of privacy experts has revealed a serious security flaw in one of Saudi Arabia’s most popular communication apps.
- Dalil's user database is unsecured and easily accessible online;
- More than 5 million Dalil users are affected;
- Dalil continues to leave user data unsecured despite being alerted to the problem by privacy experts.
Dalil has been downloaded more than 5 million times. 96% of its users are from Saudi Arabia.
A lot like Truecaller, Dalil helps users identify and block unknown and unwanted numbers. In theory, it’s a good tool to help users dodge cold callers, stalkers, harassers, and block any other unwanted contact.
However, an investigation led by well-known whitehat hacker and activist Noam R. and the team at vpnMentor has highlighted a serious security breach in Dalil’s database. Their users’ private information is accessible to anyone via an unsecured database.
The breach raises ethical, political, privacy, and cybersecurity issues, and details of the investigation follow. However, if you are a current user of Dalil, you should be aware that the company has not responded or taken any action since being notified of the breach and the user database remains unsecured.
What Are the Security Issues?
Like all apps, Dalil asks users to agree to a set of app permissions before they can complete the installation. While some permissions are standard, others are more unusual, like reading and modifying the stored files on your device, or accessing your exact location using GPS.
The combination of the app permissions and the unsecured database creates a serious security problem for users.
However suspicious Dalil’s permissions may seem, the core security issue lies with the database Dalil uses to store its user data.
The vpnMentor investigation revealed that Dalil stores user data in an unsecured, unmonitored MongoDB database. The database is accessible without authentication, which means hackers or unscrupulous companies that trade and monetize personal data have password-free access to that information.
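As an added illustration, and not code from the vpnMentor report or Dalil's deployment, the following Python audits a mongod.conf for the two settings that produce exactly this exposure: listening on every interface and running with authorization off. The two configurations and the small key/value parser are constructed for this example.

```python
"""Audit a mongod.conf for settings that expose the database to anyone on the network.

Constructed example: the configurations below are illustrative, not Dalil's real deployment.
"""


def parse_simple_yaml(text):
    """Minimal parser for the indented 'key: value' style used by mongod.conf.
    Handles nested mappings and '#' comments only; it is not a general YAML parser."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) pairs for the current nesting path
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack[-1][0] >= indent:  # climb back out to the enclosing mapping
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip()
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means neither exposure is present."""
    cfg = parse_simple_yaml(text)
    findings = []
    net = cfg.get("net", {})
    bind = net.get("bindIp", "127.0.0.1")  # mongod 3.6+ binds to localhost when unset
    addrs = {a.strip() for a in bind.split(",")}
    if net.get("bindIpAll") == "true" or addrs & {"0.0.0.0", "::"}:
        findings.append("net.bindIp listens on all interfaces: reachable from the internet unless firewalled")
    if cfg.get("security", {}).get("authorization") != "enabled":
        findings.append("security.authorization is not enabled: any client that can connect can read every collection")
    return findings


# Constructed configuration resembling an exposed deployment: all interfaces, no authentication.
EXPOSED_CONF = """
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongo
"""

# Constructed hardened configuration: localhost only, with role-based access control switched on.
HARDENED_CONF = """
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["no findings"])
```

Binding to localhost alone is not a substitute for authorization: an application server that needs remote access should reach the database over a private network or TLS with credentials, never through an open port.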
The data about Dalil users that is currently freely accessible online includes:
- First and last name;
- Phone number;
- Personal email account;
- IP address;
- Device model, token, serial number, and operating system;
- IMEI (the device’s specific identification number);
- Sim card and network provider information;
- GPS and network location information.
This amount of unsecured information is troubling. The report compiled an accurate profile of one Dalil user to demonstrate how easy it is to do so. To protect the identity of the user, we have redacted sensitive information, but the privacy team were able to locate the user’s social profiles easily. On top of that, the team could get an accurate estimate of the user’s approximate location and residential address using just the information from the database and a simple Google search.
Why It Matters
The contents of the database, such as profession, location, and gender can be used to create targeted ads. In the hands of third-party advertisers, local authorities, or illegal organizations, this raises serious privacy and security issues. If recent revelations about data mining firms like Cambridge Analytica have taught us nothing else, it’s that users should be wary of companies having access to that much data.
Information about device model and operating systems allows for highly specific malware placement. Malware is malicious software designed to disrupt, access, or take control of a device or network, usually to steal sensitive personal data or money. Targeted malware built on the contents of this database could put Dalil’s 5 million users in Saudi Arabia, Egypt, UAE, and other locations at risk of financial loss.
Political and security issues
There is a darker potential use of Dalil's unsecured database. Saudi Arabia has some of the strictest censorship laws and surveillance environments in the world. Local authorities are permitted to monitor and censor private communication made over commonly used communications apps like Viber and Facebook Messenger.
Using the contents of Dalil's database, Saudi Arabian authorities can identify individual users and listen in on their calls and messages.
The combination of the legal environment in Saudi Arabia, the app permissions, and the identifying details available in the open database mean that Saudi Arabian authorities could theoretically use Dalil as a conduit to track or locate users.
This should concern everyone, but it has particular relevance for journalists and bloggers, or anyone else who might be suspected of criticizing the Saudi government.
About the Investigation
The report was compiled by vpnMentor and Noam R. under the guiding principles of an ethical hacking investigation.
The probe uses port scanning to examine IP blocks and test systems for weaknesses. Each hole found is examined for data being leaked. The team then investigated by simply installing the app and entering their own data. By doing so, they could confirm that their data was leaked and establish that the exposed database belonged to Dalil.
The team contacted Dalil before the report was published. At the time of writing, they have not received a response, and the database is still accessible.
Users of Dalil are encouraged to uninstall the app. All users are encouraged to think carefully about permissions granted to third-party applications.
About the Author: Lauren Smith
Lauren is an experienced security researcher (7 years) with a demonstrated history of working in the computer and network security industry. Her day job is with a human rights organization, and she has written for vpnMentor since 2018 on nights and weekends in her spare time.